<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- This file documents the use of the GNU compilers.

Copyright (C) 1988-2023 Free Software Foundation, Inc.

Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
any later version published by the Free Software Foundation; with the
Invariant Sections being "Funding Free Software", the Front-Cover
Texts being (a) (see below), and with the Back-Cover Texts being (b)
(see below).  A copy of the license is included in the section entitled
"GNU Free Documentation License".

(a) The FSF's Front-Cover Text is:

A GNU Manual

(b) The FSF's Back-Cover Text is:

You have freedom to copy and modify this GNU Manual, like GNU
     software.  Copies published by the Free Software Foundation raise
     funds for GNU development. -->
<!-- Created by GNU Texinfo 6.7, http://www.gnu.org/software/texinfo/ -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Static Analyzer Options (Using the GNU Compiler Collection (GCC))</title>

<meta name="description" content="Static Analyzer Options (Using the GNU Compiler Collection (GCC))">
<meta name="keywords" content="Static Analyzer Options (Using the GNU Compiler Collection (GCC))">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<link href="index.html" rel="start" title="Top">
<link href="Indices.html" rel="index" title="Indices">
<link href="index.html#SEC_Contents" rel="contents" title="Table of Contents">
<link href="Invoking-GCC.html" rel="up" title="Invoking GCC">
<link href="Debugging-Options.html" rel="next" title="Debugging Options">
<link href="Warning-Options.html" rel="prev" title="Warning Options">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: initial; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
ul.no-bullet {list-style: none}
-->
</style>


</head>

<body lang="en_US">
<span id="Static-Analyzer-Options"></span><div class="header">
<p>
Next: <a href="Debugging-Options.html" accesskey="n" rel="next">Debugging Options</a>, Previous: <a href="Warning-Options.html" accesskey="p" rel="prev">Warning Options</a>, Up: <a href="Invoking-GCC.html" accesskey="u" rel="up">Invoking GCC</a> &nbsp; [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Indices.html" title="Index" rel="index">Index</a>]</p>
</div>
<hr>
<span id="Options-That-Control-Static-Analysis"></span><h3 class="section">3.9 Options That Control Static Analysis</h3>

<dl compact="compact">
<dd><span id="index-analyzer"></span>
<span id="index-fanalyzer"></span>
<span id="index-fno_002danalyzer"></span>
</dd>
<dt><code>-fanalyzer</code></dt>
<dd><p>This option enables an static analysis of program flow which looks
for &ldquo;interesting&rdquo; interprocedural paths through the
code, and issues warnings for problems found on them.
</p>
<p>This analysis is much more expensive than other GCC warnings.
</p>
<p>In technical terms, it performs coverage-guided symbolic execution of
the code being compiled.  It is neither sound nor complete: it can
have false positives and false negatives.  It is a bug-finding tool,
rather than a tool for proving program correctness.
</p>
<p>The analyzer is only suitable for use on C code in this release.
</p>
<p>Enabling this option effectively enables the following warnings:
</p>
<div class="example">
<pre class="example">-Wanalyzer-allocation-size
-Wanalyzer-deref-before-check
-Wanalyzer-double-fclose
-Wanalyzer-double-free
-Wanalyzer-exposure-through-output-file
-Wanalyzer-exposure-through-uninit-copy
-Wanalyzer-fd-access-mode-mismatch
-Wanalyzer-fd-double-close
-Wanalyzer-fd-leak
-Wanalyzer-fd-phase-mismatch
-Wanalyzer-fd-type-mismatch
-Wanalyzer-fd-use-after-close
-Wanalyzer-fd-use-without-check
-Wanalyzer-file-leak
-Wanalyzer-free-of-non-heap
-Wanalyzer-imprecise-fp-arithmetic
-Wanalyzer-infinite-recursion
-Wanalyzer-jump-through-null
-Wanalyzer-malloc-leak
-Wanalyzer-mismatching-deallocation
-Wanalyzer-null-argument
-Wanalyzer-null-dereference
-Wanalyzer-out-of-bounds
-Wanalyzer-possible-null-argument
-Wanalyzer-possible-null-dereference
-Wanalyzer-putenv-of-auto-var
-Wanalyzer-shift-count-negative
-Wanalyzer-shift-count-overflow
-Wanalyzer-stale-setjmp-buffer
-Wanalyzer-unsafe-call-within-signal-handler
-Wanalyzer-use-after-free
-Wanalyzer-use-of-pointer-in-stale-stack-frame
-Wanalyzer-use-of-uninitialized-value
-Wanalyzer-va-arg-type-mismatch
-Wanalyzer-va-list-exhausted
-Wanalyzer-va-list-leak
-Wanalyzer-va-list-use-after-va-end
-Wanalyzer-write-to-const
-Wanalyzer-write-to-string-literal

</pre></div>

<p>This option is only available if GCC was configured with analyzer
support enabled.
</p>
<span id="index-Wanalyzer_002dtoo_002dcomplex"></span>
<span id="index-Wno_002danalyzer_002dtoo_002dcomplex"></span>
</dd>
<dt><code>-Wanalyzer-too-complex</code></dt>
<dd><p>If <samp>-fanalyzer</samp> is enabled, the analyzer uses various heuristics
to attempt to explore the control flow and data flow in the program,
but these can be defeated by sufficiently complicated code.
</p>
<p>By default, the analysis silently stops if the code is too
complicated for the analyzer to fully explore and it reaches an internal
limit.  The <samp>-Wanalyzer-too-complex</samp> option warns if this occurs.
</p>
<span id="index-Wanalyzer_002dallocation_002dsize"></span>
<span id="index-Wno_002danalyzer_002dallocation_002dsize"></span>
</dd>
<dt><code>-Wno-analyzer-allocation-size</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it;
to disable it, use <samp>-Wno-analyzer-allocation-size</samp>.
</p>
<p>This diagnostic warns for paths through the code in which a pointer to
a buffer is assigned to point at a buffer with a size that is not a
multiple of <code>sizeof (*pointer)</code>.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/131.html">CWE-131: Incorrect Calculation of Buffer Size</a>.
</p>
<span id="index-Wanalyzer_002dderef_002dbefore_002dcheck"></span>
<span id="index-Wno_002danalyzer_002dderef_002dbefore_002dcheck"></span>
</dd>
<dt><code>-Wno-analyzer-deref-before-check</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-deref-before-check</samp>
to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a pointer
is checked for <code>NULL</code> *after* it has already been
dereferenced, suggesting that the pointer could have been NULL.
Such cases suggest that the check for NULL is either redundant,
or that it needs to be moved to before the pointer is dereferenced.
</p>
<p>This diagnostic also considers values passed to a function argument
marked with <code>__attribute__((nonnull))</code> as requiring a non-NULL
value, and thus will complain if such values are checked for <code>NULL</code>
after returning from such a function call.
</p>
<p>This diagnostic is unlikely to be reported when any level of optimization
is enabled, as GCC&rsquo;s optimization logic will typically consider such
checks for NULL as being redundant, and optimize them away before the
analyzer &quot;sees&quot; them.  Hence optimization should be disabled when
attempting to trigger this diagnostic.
</p>
<span id="index-Wanalyzer_002ddouble_002dfclose"></span>
<span id="index-Wno_002danalyzer_002ddouble_002dfclose"></span>
</dd>
<dt><code>-Wno-analyzer-double-fclose</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-double-fclose</samp> to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a <code>FILE *</code>
can have <code>fclose</code> called on it more than once.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/1341.html">CWE-1341: Multiple Releases of Same Resource or Handle</a>.
</p>
<span id="index-Wanalyzer_002ddouble_002dfree"></span>
<span id="index-Wno_002danalyzer_002ddouble_002dfree"></span>
</dd>
<dt><code>-Wno-analyzer-double-free</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-double-free</samp> to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a pointer
can have a deallocator called on it more than once, either <code>free</code>,
or a deallocator referenced by attribute <code>malloc</code>.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/415.html">CWE-415: Double Free</a>.
</p>
<span id="index-Wanalyzer_002dexposure_002dthrough_002doutput_002dfile"></span>
<span id="index-Wno_002danalyzer_002dexposure_002dthrough_002doutput_002dfile"></span>
</dd>
<dt><code>-Wno-analyzer-exposure-through-output-file</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-exposure-through-output-file</samp>
to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a
security-sensitive value is written to an output file
(such as writing a password to a log file).
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/532.html">CWE-532: Information Exposure Through Log Files</a>.
</p>
<span id="index-Wanalyzer_002dexposure_002dthrough_002duninit_002dcopy"></span>
<span id="index-Wno_002danalyzer_002dexposure_002dthrough_002duninit_002dcopy"></span>
</dd>
<dt><code>-Wanalyzer-exposure-through-uninit-copy</code></dt>
<dd><p>This warning requires both <samp>-fanalyzer</samp> and the use of a plugin
to specify a function that copies across a &ldquo;trust boundary&rdquo;.  Use
<samp>-Wno-analyzer-exposure-through-uninit-copy</samp> to disable it.
</p>
<p>This diagnostic warns for &ldquo;infoleaks&rdquo; - paths through the code in which
uninitialized values are copied across a security boundary
(such as code within an OS kernel that copies a partially-initialized
struct on the stack to user space).
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200: Exposure of Sensitive Information to an Unauthorized Actor</a>.
</p>
<span id="index-Wanalyzer_002dfd_002daccess_002dmode_002dmismatch"></span>
<span id="index-Wno_002danalyzer_002dfd_002daccess_002dmode_002dmismatch"></span>
</dd>
<dt><code>-Wno-analyzer-fd-access-mode-mismatch</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-fd-access-mode-mismatch</samp>
to disable it.
</p>
<p>This diagnostic warns for paths through code in which a
<code>read</code> on a write-only file descriptor is attempted, or vice versa.
</p>
<p>This diagnostic also warns for code paths in a which a function with attribute
<code>fd_arg_read (N)</code> is called with a file descriptor opened with
<code>O_WRONLY</code> at referenced argument <code>N</code> or a function with attribute
<code>fd_arg_write (N)</code> is called with a file descriptor opened with
<code>O_RDONLY</code> at referenced argument <var>N</var>.
</p>
<span id="index-Wanalyzer_002dfd_002ddouble_002dclose"></span>
<span id="index-Wno_002danalyzer_002dfd_002ddouble_002dclose"></span>
</dd>
<dt><code>-Wno-analyzer-fd-double-close</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-fd-double-close</samp>
to disable it.
</p>
<p>This diagnostic warns for paths through code in which a
file descriptor can be closed more than once.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/1341.html">CWE-1341: Multiple Releases of Same Resource or Handle</a>.
</p>
<span id="index-Wanalyzer_002dfd_002dleak"></span>
<span id="index-Wno_002danalyzer_002dfd_002dleak"></span>
</dd>
<dt><code>-Wno-analyzer-fd-leak</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-fd-leak</samp>
to disable it.
</p>
<p>This diagnostic warns for paths through code in which an
open file descriptor is leaked.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/775.html">CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime</a>.
</p>
<span id="index-Wanalyzer_002dfd_002dphase_002dmismatch"></span>
<span id="index-Wno_002danalyzer_002dfd_002dphase_002dmismatch"></span>
</dd>
<dt><code>-Wno-analyzer-fd-phase-mismatch</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-fd-phase-mismatch</samp>
to disable it.
</p>
<p>This diagnostic warns for paths through code in which an operation is
attempted in the wrong phase of a file descriptor&rsquo;s lifetime.
For example, it will warn on attempts to call <code>accept</code> on a stream
socket that has not yet had <code>listen</code> successfully called on it.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/666.html">CWE-666: Operation on Resource in Wrong Phase of Lifetime</a>.
</p>
<span id="index-Wanalyzer_002dfd_002dtype_002dmismatch"></span>
<span id="index-Wno_002danalyzer_002dfd_002dtype_002dmismatch"></span>
</dd>
<dt><code>-Wno-analyzer-fd-type-mismatch</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-fd-type-mismatch</samp>
to disable it.
</p>
<p>This diagnostic warns for paths through code in which an
operation is attempted on the wrong type of file descriptor.
For example, it will warn on attempts to use socket operations
on a file descriptor obtained via <code>open</code>, or when attempting
to use a stream socket operation on a datagram socket.
</p>
<span id="index-Wanalyzer_002dfd_002duse_002dafter_002dclose"></span>
<span id="index-Wno_002danalyzer_002dfd_002duse_002dafter_002dclose"></span>
</dd>
<dt><code>-Wno-analyzer-fd-use-after-close</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-fd-use-after-close</samp>
to disable it.
</p>
<p>This diagnostic warns for paths through code in which a
read or write is called on a closed file descriptor.
</p>
<p>This diagnostic also warns for paths through code in which
a function with attribute <code>fd_arg (N)</code> or <code>fd_arg_read (N)</code>
or <code>fd_arg_write (N)</code> is called with a closed file descriptor at
referenced argument <code>N</code>.
</p>
<span id="index-Wanalyzer_002dfd_002duse_002dwithout_002dcheck"></span>
<span id="index-Wno_002danalyzer_002dfd_002duse_002dwithout_002dcheck"></span>
</dd>
<dt><code>-Wno-analyzer-fd-use-without-check</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-fd-use-without-check</samp>
to disable it.
</p>
<p>This diagnostic warns for paths through code in which a
file descriptor is used without being checked for validity.
</p>
<p>This diagnostic also warns for paths through code in which
a function with attribute <code>fd_arg (N)</code> or <code>fd_arg_read (N)</code>
or <code>fd_arg_write (N)</code> is called with a file descriptor, at referenced
argument <code>N</code>, without being checked for validity.
</p>
<span id="index-Wanalyzer_002dfile_002dleak"></span>
<span id="index-Wno_002danalyzer_002dfile_002dleak"></span>
</dd>
<dt><code>-Wno-analyzer-file-leak</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-file-leak</samp>
to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a
<code>&lt;stdio.h&gt;</code> <code>FILE *</code> stream object is leaked.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/775.html">CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime</a>.
</p>
<span id="index-Wanalyzer_002dfree_002dof_002dnon_002dheap"></span>
<span id="index-Wno_002danalyzer_002dfree_002dof_002dnon_002dheap"></span>
</dd>
<dt><code>-Wno-analyzer-free-of-non-heap</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-free-of-non-heap</samp>
to disable it.
</p>
<p>This diagnostic warns for paths through the code in which <code>free</code>
is called on a non-heap pointer (e.g. an on-stack buffer, or a global).
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/590.html">CWE-590: Free of Memory not on the Heap</a>.
</p>
<span id="index-Wanalyzer_002dimprecise_002dfp_002darithmetic"></span>
<span id="index-Wno_002danalyzer_002dimprecise_002dfp_002darithmetic"></span>
</dd>
<dt><code>-Wno-analyzer-imprecise-fp-arithmetic</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-imprecise-fp-arithmetic</samp>
to disable it.
</p>
<p>This diagnostic warns for paths through the code in which floating-point
arithmetic is used in locations where precise computation is needed.  This
diagnostic only warns on use of floating-point operands inside the
calculation of an allocation size at the moment.
</p>
<span id="index-Wanalyzer_002dinfinite_002drecursion"></span>
<span id="index-Wno_002danalyzer_002dinfinite_002drecursion"></span>
</dd>
<dt><code>-Wno-analyzer-infinite-recursion</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-infinite-recursion</samp> to disable it.
</p>
<p>This diagnostics warns for paths through the code which appear to
lead to infinite recursion.
</p>
<p>Specifically, when the analyzer &quot;sees&quot; a recursive call, it will compare
the state of memory at the entry to the new frame with that at the entry
to the previous frame of that function on the stack.  The warning is
issued if nothing in memory appears to be changing; any changes observed
to parameters or globals are assumed to lead to termination of the
recursion and thus suppress the warning.
</p>
<p>This diagnostic is likely to miss cases of infinite recursion that
are convered to iteration by the optimizer before the analyzer &quot;sees&quot;
them.  Hence optimization should be disabled when attempting to trigger
this diagnostic.
</p>
<p>Compare with <samp>-Winfinite-recursion</samp>, which provides a similar
diagnostic, but is implemented in a different way.
</p>
<span id="index-Wanalyzer_002djump_002dthrough_002dnull"></span>
<span id="index-Wno_002danalyzer_002djump_002dthrough_002dnull"></span>
</dd>
<dt><code>-Wno-analyzer-jump-through-null</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-jump-through-null</samp>
to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a <code>NULL</code>
function pointer is called.
</p>
<span id="index-Wanalyzer_002dmalloc_002dleak"></span>
<span id="index-Wno_002danalyzer_002dmalloc_002dleak"></span>
</dd>
<dt><code>-Wno-analyzer-malloc-leak</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-malloc-leak</samp>
to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a
pointer allocated via an allocator is leaked: either <code>malloc</code>,
or a function marked with attribute <code>malloc</code>.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/401.html">CWE-401: Missing Release of Memory after Effective Lifetime</a>.
</p>
<span id="index-Wanalyzer_002dmismatching_002ddeallocation"></span>
<span id="index-Wno_002danalyzer_002dmismatching_002ddeallocation"></span>
</dd>
<dt><code>-Wno-analyzer-mismatching-deallocation</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-mismatching-deallocation</samp>
to disable it.
</p>
<p>This diagnostic warns for paths through the code in which the
wrong deallocation function is called on a pointer value, based on
which function was used to allocate the pointer value.  The diagnostic
will warn about mismatches between <code>free</code>, scalar <code>delete</code>
and vector <code>delete[]</code>, and those marked as allocator/deallocator
pairs using attribute <code>malloc</code>.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/762.html">CWE-762: Mismatched Memory Management Routines</a>.
</p>
<span id="index-Wanalyzer_002dout_002dof_002dbounds"></span>
<span id="index-Wno_002danalyzer_002dout_002dof_002dbounds"></span>
</dd>
<dt><code>-Wno-analyzer-out-of-bounds</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-out-of-bounds</samp> to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a buffer is
definitely read or written out-of-bounds.  The diagnostic applies for
cases where the analyzer is able to determine a constant offset and for
accesses past the end of a buffer, also a constant capacity.  Further,
the diagnostic does limited checking for accesses past the end when the
offset as well as the capacity is symbolic.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/119.html">CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer</a>.
</p>
<span id="index-Wanalyzer_002dpossible_002dnull_002dargument"></span>
<span id="index-Wno_002danalyzer_002dpossible_002dnull_002dargument"></span>
</dd>
<dt><code>-Wno-analyzer-possible-null-argument</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-possible-null-argument</samp> to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a
possibly-NULL value is passed to a function argument marked
with <code>__attribute__((nonnull))</code> as requiring a non-NULL
value.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/690.html">CWE-690: Unchecked Return Value to NULL Pointer Dereference</a>.
</p>
<span id="index-Wanalyzer_002dpossible_002dnull_002ddereference"></span>
<span id="index-Wno_002danalyzer_002dpossible_002dnull_002ddereference"></span>
</dd>
<dt><code>-Wno-analyzer-possible-null-dereference</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-possible-null-dereference</samp> to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a
possibly-NULL value is dereferenced.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/690.html">CWE-690: Unchecked Return Value to NULL Pointer Dereference</a>.
</p>
<span id="index-Wanalyzer_002dnull_002dargument"></span>
<span id="index-Wno_002danalyzer_002dnull_002dargument"></span>
</dd>
<dt><code>-Wno-analyzer-null-argument</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-null-argument</samp> to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a
value known to be NULL is passed to a function argument marked
with <code>__attribute__((nonnull))</code> as requiring a non-NULL
value.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/476.html">CWE-476: NULL Pointer Dereference</a>.
</p>
<span id="index-Wanalyzer_002dnull_002ddereference"></span>
<span id="index-Wno_002danalyzer_002dnull_002ddereference"></span>
</dd>
<dt><code>-Wno-analyzer-null-dereference</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-null-dereference</samp> to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a
value known to be NULL is dereferenced.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/476.html">CWE-476: NULL Pointer Dereference</a>.
</p>
<span id="index-Wanalyzer_002dputenv_002dof_002dauto_002dvar"></span>
<span id="index-Wno_002danalyzer_002dputenv_002dof_002dauto_002dvar"></span>
</dd>
<dt><code>-Wno-analyzer-putenv-of-auto-var</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-putenv-of-auto-var</samp> to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a
call to <code>putenv</code> is passed a pointer to an automatic variable
or an on-stack buffer.
</p>
<p>See <a href="https://wiki.sei.cmu.edu/confluence/x/6NYxBQ">POS34-C. Do not call putenv() with a pointer to an automatic variable as the argument</a>.
</p>
<span id="index-Wanalyzer_002dshift_002dcount_002dnegative"></span>
<span id="index-Wno_002danalyzer_002dshift_002dcount_002dnegative"></span>
</dd>
<dt><code>-Wno-analyzer-shift-count-negative</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-shift-count-negative</samp> to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a
shift is attempted with a negative count.  It is analogous to
the <samp>-Wshift-count-negative</samp> diagnostic implemented in
the C/C++ front ends, but is implemented based on analyzing
interprocedural paths, rather than merely parsing the syntax tree.
However, the analyzer does not prioritize detection of such paths, so
false negatives are more likely relative to other warnings.
</p>
<span id="index-Wanalyzer_002dshift_002dcount_002doverflow"></span>
<span id="index-Wno_002danalyzer_002dshift_002dcount_002doverflow"></span>
</dd>
<dt><code>-Wno-analyzer-shift-count-overflow</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-shift-count-overflow</samp> to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a
shift is attempted with a count greater than or equal to the
precision of the operand&rsquo;s type.  It is analogous to
the <samp>-Wshift-count-overflow</samp> diagnostic implemented in
the C/C++ front ends, but is implemented based on analyzing
interprocedural paths, rather than merely parsing the syntax tree.
However, the analyzer does not prioritize detection of such paths, so
false negatives are more likely relative to other warnings.
</p>
<span id="index-Wanalyzer_002dstale_002dsetjmp_002dbuffer"></span>
<span id="index-Wno_002danalyzer_002dstale_002dsetjmp_002dbuffer"></span>
</dd>
<dt><code>-Wno-analyzer-stale-setjmp-buffer</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-stale-setjmp-buffer</samp> to disable it.
</p>
<p>This diagnostic warns for paths through the code in which
<code>longjmp</code> is called to rewind to a <code>jmp_buf</code> relating
to a <code>setjmp</code> call in a function that has returned.
</p>
<p>When <code>setjmp</code> is called on a <code>jmp_buf</code> to record a rewind
location, it records the stack frame.  The stack frame becomes invalid
when the function containing the <code>setjmp</code> call returns.  Attempting
to rewind to it via <code>longjmp</code> would reference a stack frame that
no longer exists, and likely lead to a crash (or worse).
</p>
<span id="index-Wanalyzer_002dtainted_002dallocation_002dsize"></span>
<span id="index-Wno_002danalyzer_002dtainted_002dallocation_002dsize"></span>
</dd>
<dt><code>-Wno-analyzer-tainted-allocation-size</code></dt>
<dd><p>This warning requires both <samp>-fanalyzer</samp> and
<samp>-fanalyzer-checker=taint</samp> to enable it;
use <samp>-Wno-analyzer-tainted-allocation-size</samp> to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a value
that could be under an attacker&rsquo;s control is used as the size
of an allocation without being sanitized, so that an attacker could
inject an excessively large allocation and potentially cause a denial
of service attack.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/789.html">CWE-789: Memory Allocation with Excessive Size Value</a>.
</p>
<span id="index-Wanalyzer_002dtainted_002dassertion"></span>
<span id="index-Wno_002danalyzer_002dtainted_002dassertion"></span>
</dd>
<dt><code>-Wno-analyzer-tainted-assertion</code></dt>
<dd>
<p>This warning requires both <samp>-fanalyzer</samp> and
<samp>-fanalyzer-checker=taint</samp> to enable it;
use <samp>-Wno-analyzer-tainted-assertion</samp> to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a value
that could be under an attacker&rsquo;s control is used as part of a
condition without being first sanitized, and that condition guards a
call to a function marked with attribute <code>noreturn</code>
(such as the function <code>__builtin_unreachable</code>).  Such functions
typically indicate abnormal termination of the program, such as for
assertion failure handlers.  For example:
</p>
<div class="example">
<pre class="example">assert (some_tainted_value &lt; SOME_LIMIT);
</pre></div>

<p>In such cases:
</p>
<ul>
<li> when assertion-checking is enabled: an attacker could trigger
a denial of service by injecting an assertion failure

</li><li> when assertion-checking is disabled, such as by defining <code>NDEBUG</code>,
an attacker could inject data that subverts the process, since it
presumably violates a precondition that is being assumed by the code.

</li></ul>

<p>Note that when assertion-checking is disabled, the assertions are
typically removed by the preprocessor before the analyzer has a chance
to &quot;see&quot; them, so this diagnostic can only generate warnings on builds
in which assertion-checking is enabled.
</p>
<p>For the purpose of this warning, any function marked with attribute
<code>noreturn</code> is considered as a possible assertion failure
handler, including <code>__builtin_unreachable</code>.  Note that these functions
are sometimes removed by the optimizer before the analyzer &quot;sees&quot; them.
Hence optimization should be disabled when attempting to trigger this
diagnostic.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/617.html">CWE-617: Reachable Assertion</a>.
</p>
<p>The warning can also report problematic constructions such as
</p>
<div class="example">
<pre class="example">switch (some_tainted_value) {
case 0:
  /* [...etc; various valid cases omitted...] */
  break;

default:
  __builtin_unreachable (); /* BUG: attacker can trigger this  */
}
</pre></div>

<p>despite the above not being an assertion failure, strictly speaking.
</p>
<span id="index-Wanalyzer_002dtainted_002darray_002dindex"></span>
<span id="index-Wno_002danalyzer_002dtainted_002darray_002dindex"></span>
</dd>
<dt><code>-Wno-analyzer-tainted-array-index</code></dt>
<dd><p>This warning requires both <samp>-fanalyzer</samp> and
<samp>-fanalyzer-checker=taint</samp> to enable it;
use <samp>-Wno-analyzer-tainted-array-index</samp> to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a value
that could be under an attacker&rsquo;s control is used as the index
of an array access without being sanitized, so that an attacker
could inject an out-of-bounds access.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/129.html">CWE-129: Improper Validation of Array Index</a>.
</p>
<span id="index-Wanalyzer_002dtainted_002ddivisor"></span>
<span id="index-Wno_002danalyzer_002dtainted_002ddivisor"></span>
</dd>
<dt><code>-Wno-analyzer-tainted-divisor</code></dt>
<dd><p>This warning requires both <samp>-fanalyzer</samp> and
<samp>-fanalyzer-checker=taint</samp> to enable it;
use <samp>-Wno-analyzer-tainted-divisor</samp> to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a value
that could be under an attacker&rsquo;s control is used as the divisor
in a division or modulus operation without being sanitized, so that
an attacker could inject a division-by-zero.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/369.html">CWE-369: Divide By Zero</a>.
</p>
<span id="index-Wanalyzer_002dtainted_002doffset"></span>
<span id="index-Wno_002danalyzer_002dtainted_002doffset"></span>
</dd>
<dt><code>-Wno-analyzer-tainted-offset</code></dt>
<dd><p>This warning requires both <samp>-fanalyzer</samp> and
<samp>-fanalyzer-checker=taint</samp> to enable it;
use <samp>-Wno-analyzer-tainted-offset</samp> to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a value
that could be under an attacker&rsquo;s control is used as a pointer offset
without being sanitized, so that an attacker could inject an out-of-bounds
access.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/823.html">CWE-823: Use of Out-of-range Pointer Offset</a>.
</p>
<span id="index-Wanalyzer_002dtainted_002dsize"></span>
<span id="index-Wno_002danalyzer_002dtainted_002dsize"></span>
</dd>
<dt><code>-Wno-analyzer-tainted-size</code></dt>
<dd><p>This warning requires both <samp>-fanalyzer</samp> and
<samp>-fanalyzer-checker=taint</samp> to enable it;
use <samp>-Wno-analyzer-tainted-size</samp> to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a value
that could be under an attacker&rsquo;s control is used as the size of
an operation such as <code>memset</code> without being sanitized, so that an
attacker could inject an out-of-bounds access.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/129.html">CWE-129: Improper Validation of Array Index</a>.
</p>
<span id="index-Wanalyzer_002dunsafe_002dcall_002dwithin_002dsignal_002dhandler"></span>
<span id="index-Wno_002danalyzer_002dunsafe_002dcall_002dwithin_002dsignal_002dhandler"></span>
</dd>
<dt><code>-Wno-analyzer-unsafe-call-within-signal-handler</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-unsafe-call-within-signal-handler</samp> to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a
function known to be async-signal-unsafe (such as <code>fprintf</code>) is
called from a signal handler.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/479.html">CWE-479: Signal Handler Use of a Non-reentrant Function</a>.
</p>
<span id="index-Wanalyzer_002duse_002dafter_002dfree"></span>
<span id="index-Wno_002danalyzer_002duse_002dafter_002dfree"></span>
</dd>
<dt><code>-Wno-analyzer-use-after-free</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-use-after-free</samp> to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a
pointer is used after a deallocator is called on it: either <code>free</code>,
or a deallocator referenced by attribute <code>malloc</code>.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/416.html">CWE-416: Use After Free</a>.
</p>
<span id="index-Wanalyzer_002duse_002dof_002dpointer_002din_002dstale_002dstack_002dframe"></span>
<span id="index-Wno_002danalyzer_002duse_002dof_002dpointer_002din_002dstale_002dstack_002dframe"></span>
</dd>
<dt><code>-Wno-analyzer-use-of-pointer-in-stale-stack-frame</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-use-of-pointer-in-stale-stack-frame</samp>
to disable it.
</p>
<p>This diagnostic warns for paths through the code in which a pointer
is dereferenced that points to a variable in a stale stack frame.
</p>
<span id="index-Wanalyzer_002dva_002darg_002dtype_002dmismatch"></span>
<span id="index-Wno_002danalyzer_002dva_002darg_002dtype_002dmismatch"></span>
</dd>
<dt><code>-Wno-analyzer-va-arg-type-mismatch</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-va-arg-type-mismatch</samp>
to disable it.
</p>
<p>This diagnostic warns for interprocedural paths through the code for which
the analyzer detects an attempt to use <code>va_arg</code> to extract a value
passed to a variadic call, but uses a type that does not match that of
the expression passed to the call.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/686.html">CWE-686: Function Call With Incorrect Argument Type</a>.
</p>
<span id="index-Wanalyzer_002dva_002dlist_002dexhausted"></span>
<span id="index-Wno_002danalyzer_002dva_002dlist_002dexhausted"></span>
</dd>
<dt><code>-Wno-analyzer-va-list-exhausted</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-va-list-exhausted</samp>
to disable it.
</p>
<p>This diagnostic warns for interprocedural paths through the code for which
the analyzer detects an attempt to use <code>va_arg</code> to access the next
value passed to a variadic call, but all of the values in the
<code>va_list</code> have already been consumed.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/685.html">CWE-685: Function Call With Incorrect Number of Arguments</a>.
</p>
<span id="index-Wanalyzer_002dva_002dlist_002dleak"></span>
<span id="index-Wno_002danalyzer_002dva_002dlist_002dleak"></span>
</dd>
<dt><code>-Wno-analyzer-va-list-leak</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-va-list-leak</samp>
to disable it.
</p>
<p>This diagnostic warns for interprocedural paths through the code for which
the analyzer detects that <code>va_start</code> or <code>va_copy</code> has been called
on a <code>va_list</code> without a corresponding call to <code>va_end</code>.
</p>
<span id="index-Wanalyzer_002dva_002dlist_002duse_002dafter_002dva_002dend"></span>
<span id="index-Wno_002danalyzer_002dva_002dlist_002duse_002dafter_002dva_002dend"></span>
</dd>
<dt><code>-Wno-analyzer-va-list-use-after-va-end</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-va-list-use-after-va-end</samp>
to disable it.
</p>
<p>This diagnostic warns for interprocedural paths through the code for which
the analyzer detects an attempt to use a <code>va_list</code>  after
<code>va_end</code> has been called on it.
<code>va_list</code>.
</p>
<span id="index-Wanalyzer_002dwrite_002dto_002dconst"></span>
<span id="index-Wno_002danalyzer_002dwrite_002dto_002dconst"></span>
</dd>
<dt><code>-Wno-analyzer-write-to-const</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-write-to-const</samp>
to disable it.
</p>
<p>This diagnostic warns for paths through the code in which the analyzer
detects an attempt to write through a pointer to a <code>const</code> object.
However, the analyzer does not prioritize detection of such paths, so
false negatives are more likely relative to other warnings.
</p>
<span id="index-Wanalyzer_002dwrite_002dto_002dstring_002dliteral"></span>
<span id="index-Wno_002danalyzer_002dwrite_002dto_002dstring_002dliteral"></span>
</dd>
<dt><code>-Wno-analyzer-write-to-string-literal</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-write-to-string-literal</samp>
to disable it.
</p>
<p>This diagnostic warns for paths through the code in which the analyzer
detects an attempt to write through a pointer to a string literal.
However, the analyzer does not prioritize detection of such paths, so
false negatives are more likely relative to other warnings.
</p>
<span id="index-Wanalyzer_002duse_002dof_002duninitialized_002dvalue"></span>
<span id="index-Wno_002danalyzer_002duse_002dof_002duninitialized_002dvalue"></span>
</dd>
<dt><code>-Wno-analyzer-use-of-uninitialized-value</code></dt>
<dd><p>This warning requires <samp>-fanalyzer</samp>, which enables it; use
<samp>-Wno-analyzer-use-of-uninitialized-value</samp> to disable it.
</p>
<p>This diagnostic warns for paths through the code in which an uninitialized
value is used.
</p>
<p>See <a href="https://cwe.mitre.org/data/definitions/457.html">CWE-457: Use of Uninitialized Variable</a>.
</p>
</dd>
</dl>

<p>The analyzer has hardcoded knowledge about the behavior of the following
memory-management functions:
</p>
<ul>
<li> <code>alloca</code>
</li><li> The built-in functions <code>__builtin_alloc</code>,
<code>__builtin_alloc_with_align</code>, </li><li> <code>__builtin_calloc</code>,
<code>__builtin_free</code>, <code>__builtin_malloc</code>, <code>__builtin_memcpy</code>,
<code>__builtin_memcpy_chk</code>, <code>__builtin_memset</code>,
<code>__builtin_memset_chk</code>, <code>__builtin_realloc</code>,
<code>__builtin_stack_restore</code>, and <code>__builtin_stack_save</code>
</li><li> <code>calloc</code>
</li><li> <code>free</code>
</li><li> <code>malloc</code>
</li><li> <code>memset</code>
</li><li> <code>operator delete</code>
</li><li> <code>operator delete []</code>
</li><li> <code>operator new</code>
</li><li> <code>operator new []</code>
</li><li> <code>realloc</code>
</li><li> <code>strdup</code>
</li><li> <code>strndup</code>
</li></ul>

<p>of the following functions for working with file descriptors:
</p>
<ul>
<li> <code>open</code>
</li><li> <code>close</code>
</li><li> <code>creat</code>
</li><li> <code>dup</code>, <code>dup2</code> and <code>dup3</code>
</li><li> <code>isatty</code>
</li><li> <code>pipe</code>, and <code>pipe2</code>
</li><li> <code>read</code>
</li><li> <code>write</code>
</li><li> <code>socket</code>, <code>bind</code>, <code>listen</code>, <code>accept</code>, and <code>connect</code>
</li></ul>

<p>of the following functions for working with <code>&lt;stdio.h&gt;</code> streams:
</p><ul>
<li> The built-in functions <code>__builtin_fprintf</code>,
<code>__builtin_fprintf_unlocked</code>, <code>__builtin_fputc</code>,
<code>__builtin_fputc_unlocked</code>, <code>__builtin_fputs</code>,
<code>__builtin_fputs_unlocked</code>, <code>__builtin_fwrite</code>,
<code>__builtin_fwrite_unlocked</code>, <code>__builtin_printf</code>,
<code>__builtin_printf_unlocked</code>, <code>__builtin_putc</code>,
<code>__builtin_putchar</code>, <code>__builtin_putchar_unlocked</code>,
<code>__builtin_putc_unlocked</code>, <code>__builtin_puts</code>,
<code>__builtin_puts_unlocked</code>, <code>__builtin_vfprintf</code>, and
<code>__builtin_vprintf</code>
</li><li> <code>fopen</code>
</li><li> <code>fclose</code>
</li><li> <code>ferror</code>
</li><li> <code>fgets</code>
</li><li> <code>fgets_unlocked</code>
</li><li> <code>fileno</code>
</li><li> <code>fread</code>
</li><li> <code>getc</code>
</li><li> <code>getchar</code>
</li><li> <code>fprintf</code>
</li><li> <code>printf</code>
</li><li> <code>fwrite</code>
</li></ul>

<p>and of the following functions:
</p>
<ul>
<li> The built-in functions <code>__builtin_expect</code>,
<code>__builtin_expect_with_probability</code>, <code>__builtin_strchr</code>,
<code>__builtin_strcpy</code>, <code>__builtin_strcpy_chk</code>,
<code>__builtin_strlen</code>, <code>__builtin_va_copy</code>, and
<code>__builtin_va_start</code>
</li><li> The GNU extensions <code>error</code> and <code>error_at_line</code>
</li><li> <code>getpass</code>
</li><li> <code>longjmp</code>
</li><li> <code>putenv</code>
</li><li> <code>setjmp</code>
</li><li> <code>siglongjmp</code>
</li><li> <code>signal</code>
</li><li> <code>sigsetjmp</code>
</li><li> <code>strchr</code>
</li><li> <code>strlen</code>
</li></ul>

<p>In addition, various functions with an <code>__analyzer_</code> prefix have
special meaning to the analyzer, described in the GCC Internals manual.
</p>
<p>Pertinent parameters for controlling the exploration are:
</p><ul>
<li> <samp>--param analyzer-bb-explosion-factor=<var>value</var></samp>
</li><li> <samp>--param analyzer-max-enodes-per-program-point=<var>value</var></samp>
</li><li> <samp>--param analyzer-max-recursion-depth=<var>value</var></samp>
</li><li> <samp>--param analyzer-min-snodes-for-call-summary=<var>value</var></samp>
</li></ul>

<p>The following options control the analyzer.
</p>
<dl compact="compact">
<dd>
<span id="index-fanalyzer_002dcall_002dsummaries"></span>
<span id="index-fno_002danalyzer_002dcall_002dsummaries"></span>
</dd>
<dt><code>-fanalyzer-call-summaries</code></dt>
<dd><p>Simplify interprocedural analysis by computing the effect of certain calls,
rather than exploring all paths through the function from callsite to each
possible return.
</p>
<p>If enabled, call summaries are only used for functions with more than one
call site, and that are sufficiently complicated (as per
<samp>--param analyzer-min-snodes-for-call-summary=<var>value</var></samp>).
</p>
<span id="index-fanalyzer_002dchecker"></span>
</dd>
<dt><code>-fanalyzer-checker=<var>name</var></code></dt>
<dd><p>Restrict the analyzer to run just the named checker, and enable it.
</p>
<p>Some checkers are disabled by default (even with <samp>-fanalyzer</samp>),
such as the <code>taint</code> checker that implements
<samp>-Wanalyzer-tainted-array-index</samp>, and this option is required
to enable them.
</p>
<p><em>Note:</em> currently, <samp>-fanalyzer-checker=taint</samp> disables the
following warnings from <samp>-fanalyzer</samp>:
</p>
<div class="example">
<pre class="example">-Wanalyzer-deref-before-check
-Wanalyzer-double-fclose
-Wanalyzer-double-free
-Wanalyzer-exposure-through-output-file
-Wanalyzer-fd-access-mode-mismatch
-Wanalyzer-fd-double-close
-Wanalyzer-fd-leak
-Wanalyzer-fd-use-after-close
-Wanalyzer-fd-use-without-check
-Wanalyzer-file-leak
-Wanalyzer-free-of-non-heap
-Wanalyzer-malloc-leak
-Wanalyzer-mismatching-deallocation
-Wanalyzer-null-argument
-Wanalyzer-null-dereference
-Wanalyzer-possible-null-argument
-Wanalyzer-possible-null-dereference
-Wanalyzer-unsafe-call-within-signal-handler
-Wanalyzer-use-after-free
-Wanalyzer-va-list-leak
-Wanalyzer-va-list-use-after-va-end

</pre></div>

<span id="index-fanalyzer_002dfeasibility"></span>
<span id="index-fno_002danalyzer_002dfeasibility"></span>
</dd>
<dt><code>-fno-analyzer-feasibility</code></dt>
<dd><p>This option is intended for analyzer developers.
</p>
<p>By default the analyzer verifies that there is a feasible control flow path
for each diagnostic it emits: that the conditions that hold are not mutually
exclusive.  Diagnostics for which no feasible path can be found are rejected.
This filtering can be suppressed with <samp>-fno-analyzer-feasibility</samp>, for
debugging issues in this code.
</p>
<span id="index-fanalyzer_002dfine_002dgrained"></span>
<span id="index-fno_002danalyzer_002dfine_002dgrained"></span>
</dd>
<dt><code>-fanalyzer-fine-grained</code></dt>
<dd><p>This option is intended for analyzer developers.
</p>
<p>Internally the analyzer builds an &ldquo;exploded graph&rdquo; that combines
control flow graphs with data flow information.
</p>
<p>By default, an edge in this graph can contain the effects of a run
of multiple statements within a basic block.  With
<samp>-fanalyzer-fine-grained</samp>, each statement gets its own edge.
</p>
<span id="index-fanalyzer_002dshow_002dduplicate_002dcount"></span>
<span id="index-fno_002danalyzer_002dshow_002dduplicate_002dcount"></span>
</dd>
<dt><code>-fanalyzer-show-duplicate-count</code></dt>
<dd><p>This option is intended for analyzer developers: if multiple diagnostics
have been detected as being duplicates of each other, it emits a note when
reporting the best diagnostic, giving the number of additional diagnostics
that were suppressed by the deduplication logic.
</p>
<span id="index-fanalyzer_002dstate_002dmerge"></span>
<span id="index-fno_002danalyzer_002dstate_002dmerge"></span>
</dd>
<dt><code>-fno-analyzer-state-merge</code></dt>
<dd><p>This option is intended for analyzer developers.
</p>
<p>By default the analyzer attempts to simplify analysis by merging
sufficiently similar states at each program point as it builds its
&ldquo;exploded graph&rdquo;.  With <samp>-fno-analyzer-state-merge</samp> this
merging can be suppressed, for debugging state-handling issues.
</p>
<span id="index-fanalyzer_002dstate_002dpurge"></span>
<span id="index-fno_002danalyzer_002dstate_002dpurge"></span>
</dd>
<dt><code>-fno-analyzer-state-purge</code></dt>
<dd><p>This option is intended for analyzer developers.
</p>
<p>By default the analyzer attempts to simplify analysis by purging
aspects of state at a program point that appear to no longer be relevant
e.g. the values of locals that aren&rsquo;t accessed later in the function
and which aren&rsquo;t relevant to leak analysis.
</p>
<p>With <samp>-fno-analyzer-state-purge</samp> this purging of state can
be suppressed, for debugging state-handling issues.
</p>
<span id="index-fanalyzer_002dsuppress_002dfollowups"></span>
<span id="index-fno_002danalyzer_002dsuppress_002dfollowups"></span>
</dd>
<dt><code>-fno-analyzer-suppress-followups</code></dt>
<dd><p>This option is intended for analyzer developers.
</p>
<p>By default the analyzer will stop exploring an execution path after
encountering certain diagnostics, in order to avoid potentially issuing a
cascade of follow-up diagnostics.
</p>
<p>The diagnostics that terminate analysis along a path are:
</p>
<ul>
<li> <samp>-Wanalyzer-null-argument</samp>
</li><li> <samp>-Wanalyzer-null-dereference</samp>
</li><li> <samp>-Wanalyzer-use-after-free</samp>
</li><li> <samp>-Wanalyzer-use-of-pointer-in-stale-stack-frame</samp>
</li><li> <samp>-Wanalyzer-use-of-uninitialized-value</samp>
</li></ul>

<p>With <samp>-fno-analyzer-suppress-followups</samp> the analyzer will
continue to explore such paths even after such diagnostics, which may
be helpful for debugging issues in the analyzer, or for microbenchmarks
for detecting undefined behavior.
</p>
<span id="index-fanalyzer_002dtransitivity"></span>
<span id="index-fno_002danalyzer_002dtransitivity"></span>
</dd>
<dt><code>-fanalyzer-transitivity</code></dt>
<dd><p>This option enables transitivity of constraints within the analyzer.
</p>
<span id="index-fanalyzer_002dundo_002dinlining"></span>
<span id="index-fno_002danalyzer_002dundo_002dinlining"></span>
</dd>
<dt><code>-fno-analyzer-undo-inlining</code></dt>
<dd><p>This option is intended for analyzer developers.
</p>
<p><samp>-fanalyzer</samp> runs relatively late compared to other code analysis
tools, and some optimizations have already been applied to the code.  In
particular function inlining may have occurred, leading to the
interprocedural execution paths emitted by the analyzer containing
function frames that don&rsquo;t correspond to those in the original source
code.
</p>
<p>By default the analyzer attempts to reconstruct the original function
frames, and to emit events showing the inlined calls.
</p>
<p>With <samp>-fno-analyzer-undo-inlining</samp> this attempt to reconstruct
the original frame information can be be disabled, which may be of help
when debugging issues in the analyzer.
</p>
</dd>
<dt><code>-fanalyzer-verbose-edges</code></dt>
<dd><p>This option is intended for analyzer developers.  It enables more
verbose, lower-level detail in the descriptions of control flow
within diagnostic paths.
</p>
</dd>
<dt><code>-fanalyzer-verbose-state-changes</code></dt>
<dd><p>This option is intended for analyzer developers.  It enables more
verbose, lower-level detail in the descriptions of events relating
to state machines within diagnostic paths.
</p>
</dd>
<dt><code>-fanalyzer-verbosity=<var>level</var></code></dt>
<dd><p>This option controls the complexity of the control flow paths that are
emitted for analyzer diagnostics.
</p>
<p>The <var>level</var> can be one of:
</p>
<dl compact="compact">
<dt>&lsquo;<samp>0</samp>&rsquo;</dt>
<dd><p>At this level, interprocedural call and return events are displayed,
along with the most pertinent state-change events relating to
a diagnostic.  For example, for a double-<code>free</code> diagnostic,
both calls to <code>free</code> will be shown.
</p>
</dd>
<dt>&lsquo;<samp>1</samp>&rsquo;</dt>
<dd><p>As per the previous level, but also show events for the entry
to each function.
</p>
</dd>
<dt>&lsquo;<samp>2</samp>&rsquo;</dt>
<dd><p>As per the previous level, but also show events relating to
control flow that are significant to triggering the issue
(e.g. &ldquo;true path taken&rdquo; at a conditional).
</p>
<p>This level is the default.
</p>
</dd>
<dt>&lsquo;<samp>3</samp>&rsquo;</dt>
<dd><p>As per the previous level, but show all control flow events, not
just significant ones.
</p>
</dd>
<dt>&lsquo;<samp>4</samp>&rsquo;</dt>
<dd><p>This level is intended for analyzer developers; it adds various
other events intended for debugging the analyzer.
</p>
</dd>
</dl>

<span id="index-fdump_002danalyzer"></span>
</dd>
<dt><code>-fdump-analyzer</code></dt>
<dd><p>Dump internal details about what the analyzer is doing to
<samp><var>file</var>.analyzer.txt</samp>.
<samp>-fdump-analyzer-stderr</samp> overrides this option.
</p>
<span id="index-fdump_002danalyzer_002dstderr"></span>
</dd>
<dt><code>-fdump-analyzer-stderr</code></dt>
<dd><p>Dump internal details about what the analyzer is doing to stderr.
This option overrides <samp>-fdump-analyzer</samp>.
</p>
<span id="index-fdump_002danalyzer_002dcallgraph"></span>
</dd>
<dt><code>-fdump-analyzer-callgraph</code></dt>
<dd><p>Dump a representation of the call graph suitable for viewing with
GraphViz to <samp><var>file</var>.callgraph.dot</samp>.
</p>
<span id="index-fdump_002danalyzer_002dexploded_002dgraph"></span>
</dd>
<dt><code>-fdump-analyzer-exploded-graph</code></dt>
<dd><p>Dump a representation of the &ldquo;exploded graph&rdquo; suitable for viewing with
GraphViz to <samp><var>file</var>.eg.dot</samp>.
Nodes are color-coded based on state-machine states to emphasize
state changes.
</p>
<span id="index-dump_002danalyzer_002dexploded_002dnodes"></span>
</dd>
<dt><code>-fdump-analyzer-exploded-nodes</code></dt>
<dd><p>Emit diagnostics showing where nodes in the &ldquo;exploded graph&rdquo; are
in relation to the program source.
</p>
<span id="index-dump_002danalyzer_002dexploded_002dnodes_002d2"></span>
</dd>
<dt><code>-fdump-analyzer-exploded-nodes-2</code></dt>
<dd><p>Dump a textual representation of the &ldquo;exploded graph&rdquo; to
<samp><var>file</var>.eg.txt</samp>.
</p>
<span id="index-dump_002danalyzer_002dexploded_002dnodes_002d3"></span>
</dd>
<dt><code>-fdump-analyzer-exploded-nodes-3</code></dt>
<dd><p>Dump a textual representation of the &ldquo;exploded graph&rdquo; to
one dump file per node, to <samp><var>file</var>.eg-<var>id</var>.txt</samp>.
This is typically a large number of dump files.
</p>
<span id="index-fdump_002danalyzer_002dexploded_002dpaths"></span>
</dd>
<dt><code>-fdump-analyzer-exploded-paths</code></dt>
<dd><p>Dump a textual representation of the &ldquo;exploded path&rdquo; for each
diagnostic to <samp><var>file</var>.<var>idx</var>.<var>kind</var>.epath.txt</samp>.
</p>
<span id="index-dump_002danalyzer_002dfeasibility"></span>
</dd>
<dt><code>-fdump-analyzer-feasibility</code></dt>
<dd><p>Dump internal details about the analyzer&rsquo;s search for feasible paths.
The details are written in a form suitable for viewing with GraphViz
to filenames of the form <samp><var>file</var>.*.fg.dot</samp>,
<samp><var>file</var>.*.tg.dot</samp>, and <samp><var>file</var>.*.fpath.txt</samp>.
</p>
<span id="index-fdump_002danalyzer_002djson"></span>
</dd>
<dt><code>-fdump-analyzer-json</code></dt>
<dd><p>Dump a compressed JSON representation of analyzer internals to
<samp><var>file</var>.analyzer.json.gz</samp>.  The precise format is subject
to change.
</p>
<span id="index-fdump_002danalyzer_002dstate_002dpurge"></span>
</dd>
<dt><code>-fdump-analyzer-state-purge</code></dt>
<dd><p>As per <samp>-fdump-analyzer-supergraph</samp>, dump a representation of the
&ldquo;supergraph&rdquo; suitable for viewing with GraphViz, but annotate the
graph with information on what state will be purged at each node.
The graph is written to <samp><var>file</var>.state-purge.dot</samp>.
</p>
<span id="index-fdump_002danalyzer_002dsupergraph"></span>
</dd>
<dt><code>-fdump-analyzer-supergraph</code></dt>
<dd><p>Dump representations of the &ldquo;supergraph&rdquo; suitable for viewing with
GraphViz to <samp><var>file</var>.supergraph.dot</samp> and to
<samp><var>file</var>.supergraph-eg.dot</samp>.  These show all of the
control flow graphs in the program, with interprocedural edges for
calls and returns.  The second dump contains annotations showing nodes
in the &ldquo;exploded graph&rdquo; and diagnostics associated with them.
</p>
<span id="index-fdump_002danalyzer_002duntracked"></span>
</dd>
<dt><code>-fdump-analyzer-untracked</code></dt>
<dd><p>Emit custom warnings with internal details intended for analyzer developers.
</p>
</dd>
</dl>

<hr>
<div class="header">
<p>
Next: <a href="Debugging-Options.html" accesskey="n" rel="next">Debugging Options</a>, Previous: <a href="Warning-Options.html" accesskey="p" rel="prev">Warning Options</a>, Up: <a href="Invoking-GCC.html" accesskey="u" rel="up">Invoking GCC</a> &nbsp; [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Indices.html" title="Index" rel="index">Index</a>]</p>
</div>



</body>
</html>
